All,
Here is another cut at the draft.
Note, I've basically taken an axe to it in order to
shorten it. I'm following Spaf's sagely advice to make
the statement as short and succinct as possible (was that
redundant?).
Some other points...
1) One of the primary concerns here is the concept of
full disclosure and public dissemination of exploit
code. In this version, I've tried to push the virtues
of that concept without getting bogged down in controversial
white hat/black hat sorts of questions.
2) Following LeBlanc's suggestion, I've removed stuff that
does not directly the main thesis.
3) I've condensed several of the paragraphs in the middle
of the draft. Hopefully this reduces the occurrences of
repeating what is essentially the same argument and
shortens the piece while keeping it accurate.
4) I've displayed my preference for short paragraphs
and have added some paragraph breaks.
***********************************************************
Dear <treaty drafters>
We are a group of security experts who participate in the Common
Vulnerabilities and Exposures Initiative. This project is a
collaboration between a broad range of responsible computer security
experts and companies to develop a common industry wide set of names for
the many different vulnerabilities known in computer systems. As such,
we represent a cross-section of the technical community which works on
computer security vulnerabilities.
As security experts, we have some technical concerns with respect to
Article 6, which appears to be vague with respect to the use,
distribution, or possession of software that could be used to violate
the security of computer systems.
We note that it is critically important to the advancement of science
and engineering techniques for computer security professionals to be
able to test software looking for new vulnerabilities, determine
the presence of known vulnerabilities in existing systems, and exchange
information about such vulnerabilities with each other. Therefore,
most professionals and companies in this field routinely develop, use,
and share scripts and programs designed to exploit vulnerabilities.
In addition, these exploits are often included in commercial tools
used by systems administrators and security experts to test the security
of their systems.
It is technically very difficult or impossible to distinguish the
tools used for these legitimate and important purposes from the tools
used by computer criminals to commit unauthorized break-ins. Further,
important tools and techniques are regularly published by previously
unknown individuals or groups. To criminalize their research and
educational activities would be to slow the important progress of
computer security research.
We are concerned that Article 6 may prevent, impede, or criminalize
such responsible development and use of exploit tools. This would
have the unintended consequence of making computer systems LESS
secure since it would stifle critical computer research, needlessly
hamper the development of commercial security tools, and ultimately
limit the ability of systems and security administrators to test and
validate the security of their systems.
We ask that the treaty drafters specifically recognize the legitimate
and important role that the creation and public dissemination of
demonstration code plays in advancing the information security field.
Moreover, we urge that appropriate laws criminalizing the misuse of
such tools replace the ownership or creation clauses of the treaty.
Signed,
<name> <affiliation>
"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."
--
==============================================================
Dave Mann || e-mail: dmann@bos.bindview.com
Senior Security Analyst || phone: 508-485-7737 x254
BindView Corporation || fax: 508-485-0737